Feature #5007 (open)
CertificateBundle fetcher

Added by Junxiao Shi about 5 years ago. Updated about 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: Security
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time: 3.00 h

Description

Implement CertificateBundle fetcher API, as specified in #2766-30.

This issue includes these types:

  • CertBundleFetcher

Related issues (2 open, 0 closed)

Blocked by ndn-cxx - Feature #5004: CertificateBundle encoding and decoding (In Progress)

Blocks NLSR - Task #3950: Use CertificateBundleFetcher instead of DirectFetcher (New, Muktadir Chowdhury, 02/06/2017)
#1

Updated by Junxiao Shi about 5 years ago

  • Blocked by Feature #5004: CertificateBundle encoding and decoding added
#2

Updated by Alex Afanasyev over 4 years ago

  • Tags changed from CertificateBundle to CertificateBundle, security
#3

Updated by Jeremy Clark over 4 years ago

Could you give an example of how an application would call the CertificateBundleFetcher?

Specifically, I don't understand this:

Upon receiving a certificate request, this fetcher retrieves a certificate bundle registered by
addBundle() if matched, or deriveCertBundleName(certName) otherwise.

What does it mean for it to receive a certificate request?

This fetcher hooks onto the segment in-order arrival signal and passes the segment to an internal
CertBundleDecoder, and inserts decoded certificates into the CertificateStorage.

For this part, does it just insert the certificates into the unverified cache?

#4

Updated by Jeremy Clark over 4 years ago

Am I correct in my understanding that the CertificateBundleFetcher uses the SegmentFetcher internally to fetch the bundle? If so, how does the application pass a reference to the validator?

#5

Updated by Alex Afanasyev over 4 years ago

You may be misunderstanding this issue or I didn't correctly understand your question. CertBundleFetcher would be similar to CertificateFetcherFromNetwork, just instead of fetching a single cert, it would try to fetch the bundle. But overall, it would use the same interface.

#6

Updated by Jeremy Clark over 4 years ago

Per the design posted here (https://redmine.named-data.net/issues/2766#note-30):

Retrieval of a single certificate bundle should be handled by SegmentFetcher.
This fetcher hooks onto the segment in-order arrival signal and passes the segment to an internal
CertBundleDecoder, and inserts decoded certificates into the CertificateStorage.

This is the reason I've written the Segmenter and added in-order mode to the SegmentFetcher. Since a cert bundle may be made up of multiple segments, the SegmentFetcher is used here. My question is whether the SegmentFetcher exists internally and the API design is missing where the calling application can pass a reference to the Validator, or if it exists as I think it does and I'm just missing something about how it's constructed, or if I'm completely misunderstanding and the CertBundleFetcher does not use the SegmentFetcher internally.

#7

Updated by Alex Afanasyev over 4 years ago

The fetcher instance should be created and stored inside the ValidationState instance (the one you get as a parameter inside the CertificateFetcher interface). ValidationState supports TagHost interface.

Actually, we already have CertificateBundleFetcher that uses BundleNameTag. If you need to preserve the instance of the fetcher, you either rename the tag and store both (name + fetcher) or create a new tag (I prefer having a single tag).

#8

Updated by Jeremy Clark over 4 years ago

I see where I was misunderstanding before. But I'm still unsure how to create a SegmentFetcher instance inside the ValidationState instance without some access to a Validator reference necessary for the SegmentFetcher constructor.

#9

Updated by Alex Afanasyev over 4 years ago

Ehm. This is not the place to do the validation, the job here is simply to fetch stuff. The certificate will be validated by the higher-level logic.

#10

Updated by Jeremy Clark over 4 years ago

What do you suggest I do about the validator requirement for the SegmentFetcher? https://github.com/named-data/ndn-cxx/blob/09236c2b8d6d39218d22cdd5dd8d9bf9e5a1f352/ndn-cxx/util/segment-fetcher.hpp#L161

#11

Updated by Alex Afanasyev over 4 years ago

Use ValidatorNull, though yes, you still need to create and keep an instance of it in the tag.
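One way to realise the arrangement described in #7 and #11 (a fetcher created once per ValidationState, kept in a single tag next to the bundle name, segments handed in order to a decoder whose output lands in the unverified cache, no validation inside the fetcher), as an added sketch that is not ndn-cxx code: TagHost, ValidationState, SegmentFetcher, the "/BUNDLE" suffix and the ';'-terminated bundle format are hypothetical stand-ins for the real classes and encoding.

```cpp
// Added sketch with stand-in classes; not ndn-cxx code.
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <typeindex>
#include <vector>
struct TagHost {                        // stand-in for ndn-cxx TagHost: one tag per type
  template <typename T> std::shared_ptr<T> getTag() const {
    auto it = m_tags.find(typeid(T));
    if (it == m_tags.end()) return nullptr;
    return std::static_pointer_cast<T>(it->second);
  }
  template <typename T> void setTag(std::shared_ptr<T> t) { m_tags[typeid(T)] = t; }
 private:
  std::map<std::type_index, std::shared_ptr<void>> m_tags;
};
struct ValidationState : TagHost {};    // one validation in progress
struct SegmentFetcher {                 // in-order mode; does no validation (ValidatorNull)
  std::function<void(const std::string&)> onInOrderData;
  void deliverSegment(const std::string& seg) { if (onInOrderData) onInOrderData(seg); }
};
// One tag holding bundle name AND fetcher: the fetcher lives as long as the state owning the tag.
struct BundleFetcherTag {
  std::string bundleName;
  std::shared_ptr<SegmentFetcher> fetcher;
};
struct CertBundleFetcher {
  std::vector<std::string> unverifiedCache;   // stand-in for CertificateStorage (unverified)
  // Per certificate request: reuse the fetcher already attached to this state, or make one.
  std::shared_ptr<SegmentFetcher> fetch(const std::string& certName,
                                        const std::shared_ptr<ValidationState>& state) {
    if (auto tag = state->getTag<BundleFetcherTag>()) return tag->fetcher;
    auto tag = std::make_shared<BundleFetcherTag>();
    tag->bundleName = certName + "/BUNDLE";     // placeholder for deriveCertBundleName()
    tag->fetcher = std::make_shared<SegmentFetcher>();
    tag->fetcher->onInOrderData = [this](const std::string& seg) { decodeInto(seg); };
    state->setTag(tag);
    return tag->fetcher;
  }
 private:
  std::string m_partial;                      // decoder buffer across segment boundaries
  void decodeInto(const std::string& seg) {   // toy decoder: each cert ends with ';'
    m_partial += seg;
    for (size_t p = m_partial.find(';'); p != std::string::npos; p = m_partial.find(';')) {
      unverifiedCache.push_back(m_partial.substr(0, p));
      m_partial.erase(0, p + 1);
    }
  }
};
```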

#12

Updated by Davide Pesavento over 3 years ago

  • Target version changed from 0.8.0 to 0.9.0
#13

Updated by Davide Pesavento about 1 year ago

  • Tags changed from security, CertificateBundle to CertificateBundle
  • Assignee deleted (Jeremy Clark)
  • Target version deleted (0.9.0)
#14

Updated by Davide Pesavento about 1 year ago

  • Blocks Task #3950: Use CertificateBundleFetcher instead of DirectFetcher added